It's surprisingly complex to interpret x-forwarded-for: https://www.brainonfire.net/blog/2022/03/04/understanding-using-xff/ . We will never be able to safely add automated handling.
I *guess* we could add a note to the deployment guide like "check your HTTP_X_FORWARDED_FOR setting". I'm concerned it would be a step towards making the guide too long, and filled with irrelevant details. Most sites don't care about recording the user's IP. On those that do, it should be easy enough to discover the setting.

On Sat, Apr 1, 2023 at 4:39 AM Arthur Pemberton <pemb...@gmail.com> wrote:

> I have read previous discussions (most recent I could find was Dec 2013
> [1] ) on the inclusion of `HTTP_X_FORWARDED_FOR` based logic to get the
> "real" IP address of an HttpRequest. From what I can see, there is
> currently no automatic handling of `HTTP_X_FORWARDED_FOR` in Django.
>
> However, I do notice that Django acknowledges `X_FORWARDED_HOST`,
> `X_FORWARDED_PORT` and (indirectly) `X_FORWARDED_PROTO`
> (through SECURE_PROXY_SSL_HEADER).
>
> If there is still opposition to having some built-in handling for
> `HTTP_X_FORWARDED_FOR`, I think that the deployment guide [1] should at
> least mention the need for the developer to handle this explicitly.
>
> Regards,
> Arthur P.
>
> ----
>
> [1] https://groups.google.com/g/django-developers/c/J5O28jB5D3Q/m/KLLgllFS7v0J
> [2] https://docs.djangoproject.com/en/4.1/howto/deployment/
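An added example, not part of this thread and not Django code: one common way a site can read `HTTP_X_FORWARDED_FOR` explicitly, by trusting the header only when the direct peer is one of its own proxies and then walking the list from the right. The names `TRUSTED_PROXIES` and `client_ip` and the `10.0.0.0/8` proxy network are assumptions for illustration; every deployment has to supply its own list, which is why this cannot be a safe default.

```python
import ipaddress

# Assumption: the networks this site's own reverse proxies connect from.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted(addr):
    # An IPv6 address is never "in" an IPv4 network (and vice versa).
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(meta):
    """Return the client address from a Django-style request.META mapping."""
    peer = ipaddress.ip_address(meta["REMOTE_ADDR"])
    if not _is_trusted(peer):
        # The peer is not one of our proxies, so any X-Forwarded-For value
        # it sent is client-controlled and must be ignored.
        return str(peer)

    raw = meta.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]

    # Each proxy appends the address it saw, so entries written by our own
    # infrastructure are on the right. Walk right to left and stop at the
    # first address that is not one of our proxies.
    candidate = peer
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Unparseable entry (this sketch does not handle ports or
            # bracketed IPv6): keep the last address we could vouch for.
            break
        candidate = addr
        if not _is_trusted(addr):
            break
    return str(candidate)


if __name__ == "__main__":
    # Constructed sample: the leftmost entry is forged by the client.
    sample = {
        "REMOTE_ADDR": "10.0.0.5",
        "HTTP_X_FORWARDED_FOR": "1.2.3.4, 203.0.113.7, 10.0.0.9",
    }
    print(client_ip(sample))
```

Entries to the left of the returned address were supplied by the client or by proxies outside the site's control, so they are suitable for logging only, never for access decisions or rate limiting.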